• Jason Wang's avatar
    net: drop too large packet early · 25c01bd1
    Jason Wang authored
    We try to detect and drop too large packet (>INT_MAX) in 1592a994
    ("net: ignore packet size greater than INT_MAX") during packet
    delivering. Unfortunately, this is not sufficient as we may hit
    another integer overflow when trying to queue such large packet in
    qemu_net_queue_append_iov():
    
    - size of the allocation may overflow on 32bit
    - packet->size is integer which may overflow even on 64bit
    
    Fixing this by moving the check to qemu_sendv_packet_async() which is
    the entrance of all networking codes and reduce the limit to
    NET_BUFSIZE to be more conservative. This works since:
    
    - For the callers that call qemu_sendv_packet_async() directly, they
      only care about if zero is returned to determine whether to prevent
      the source from producing more packets. A callback will be triggered
      if peer can accept more then source could be enabled. This is
      usually used by high speed networking implementation like virtio-net
      or netmap.
    - For the callers that call qemu_sendv_packet() that calls
      qemu_sendv_packet_async() indirectly, they often ignore the return
      value. In this case qemu will just the drop packets if peer can't
      receive.
    
    Qemu will copy the packet if it was queued. So it was safe for both
    kinds of the callers to assume the packet was sent.
    
    Since we move the check from qemu_deliver_packet_iov() to
    qemu_sendv_packet_async(), it would be safer to make
    qemu_deliver_packet_iov() static to prevent any external user in the
    future.
    
    This is a revised patch of CVE-2018-17963.
    
    Cc: qemu-stable@nongnu.org
    Cc: Li Qiang <liq3ea@163.com>
    Fixes: 1592a994 ("net: ignore packet size greater than INT_MAX")
    Reported-by: 's avatarLi Qiang <liq3ea@gmail.com>
    Reviewed-by: 's avatarLi Qiang <liq3ea@gmail.com>
    Signed-off-by: 's avatarJason Wang <jasowang@redhat.com>
    Reviewed-by: 's avatarThomas Huth <thuth@redhat.com>
    Message-id: 20181204035347.6148-2-jasowang@redhat.com
    Signed-off-by: 's avatarPeter Maydell <peter.maydell@linaro.org>
    25c01bd1
Name
Last commit
Last update
..
block Loading commit data...
chardev Loading commit data...
crypto Loading commit data...
disas Loading commit data...
exec Loading commit data...
fpu Loading commit data...
hw Loading commit data...
io Loading commit data...
libdecnumber Loading commit data...
migration Loading commit data...
monitor Loading commit data...
net Loading commit data...
qapi Loading commit data...
qemu Loading commit data...
qom Loading commit data...
scsi Loading commit data...
standard-headers Loading commit data...
sysemu Loading commit data...
ui Loading commit data...
elf.h Loading commit data...
glib-compat.h Loading commit data...
qemu-common.h Loading commit data...
qemu-io.h Loading commit data...
trace-tcg.h Loading commit data...